Flashback.C Trojan-Downloader

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.

If that's the version you installed then you are probably ok. Where did you download the installer from (adobe and macupdate are reliable)? Also look in your /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt. You should also have a prefPane called Flash Player.

Here is a complete list of the (Flashback trojan) files installed:

1. .MacOSX/environment.plist
2. Library/LaunchAgents/com.apple.SystemUI.plist
3. Library/Preferences/perflib
4. Library/Preferences/Preferences.dylib
5. Library/Logs/swlog

Use the free Easy Find and search for the files (start with #4 "Preferences.dylib" first)

http://download.cnet.com/EasyFind/3000-2248_4-8707.html

Delete all those (may need to turn on hidden files with TinkerTool to get the .MacOSX folder to show, then turn it off) and reboot

more info here, follow Linc Davis posts,

https://discussions.apple.com/thread/3349492?start=60&tstart=0

Best thing to do is backup files and Wipe and install

https://discussions.apple.com/thread/3358920

I believe the files on that "complete list" only apply to the earlier versions of the Flashback Trojan.

From a recent Intego Security blog posting:

-------

We’ve seen several variants of the Flashback Trojan horse, since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier.

.

.

Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.

--------------------------

I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B) .C & .D.

>orienter: I don't have any of those files, but I also don't have the file: /System/Library

It's here. And you must have /System/Library or your computer wouldn't be working at all.

XProtect.plist location: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist .

WZZZ, I found the XProtect.plist but how do I find out what version it is?

Thanks!

I think you are fine. One precaution for the future is never to click on a link in a popup notice that says that you need to download a Flash update (or anything else!). Instead, dismiss the popup and go directly to Adobe's download site via your browser.

orienteer wrote: My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.

Hmm, as I said above, my most recent is dated Oct 14. ???

I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

should I?

Badly misread that before. Yes, you should have it. Don't know why it would be AWOL. Check again?

WZZZ wrote:

I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B) .C & .D.

According to Intego they found this version a week ago and call it Flashback.D, so Apple may be OK. Based on the MD5 hash that F-Secure posted, ClamXav matches it with OSX.Flashback-3 which was also made available on Oct 14. I can only guess that Apple must be calling everything .A.